Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Smart Card Centralized Registration

Microsoft Corporation

Published: June 2011

Author: Bill Mathers

Acknowledgements

Special thanks to the following people for reviewing and providing invaluable feedback for this document:

Anton Ovechkin, Microsoft

Glenn Zuckermann, Microsoft

Abstract

This document will assist architects, consultants, system engineers, and system administrators in deploying smart cards with Microsoft® Forefront® Identity Manager 2010 Certificate Management in a test lab.

Copyright

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred.

© 2010 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Forefront, MSDN, Outlook, SharePoint, SQL Server, Windows, Windows PowerShell, and Windows Server are trademarks of the Microsoft group of companies.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration

In This Guide

Test Lab Overview

Hardware and Software Requirements

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration Test Lab

Step 1: Set Up the Base Configuration Test Lab

Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab

Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab

Step 4: Set up the Forefront Identity Manager 2010 Test Lab

Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM Test Lab

Step 6: Configure CLIENT2

Install Windows 7 Professional x64 on CLIENT2

Join CLIENT2 to the CORP domain

Install the USB Smart Card Reader

Install the Gemalto Minidriver for Windows 7 Professional

Install the x86 FIM CM Client on CLIENT2

Install the x86 FIM CM Client Update 1

Step 7: Configure FIM CM for Centralized Smart Card Registration

Create the FIM CM Smart Card Subscribers group

Add members to the FIM CM Smart Card Subscribers group

Create the FIM CM Smart Card Issuers group

Add members to the FIM CM Smart Card Issuers group

Mailbox-enable User1

Create a GPO to add to Local Intranet

Create the FIMCM Smart Card Logon Certificate Template

Publish the FIMCM Smart Card Logon Certificate Template

Set the CNG Key Isolation Service to Automatic and Start the Service

Create and Configure the FIM CM Profile template

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the Service Connection Point

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIM CM Smart Card Subscribers group

Assign the FIM CM Smart Card Issuers group the appropriate permissions to the FIMCM Smart Card Logon Certificate Template

Assign the FIM CM Smart Card Issuers group and the FIM CM Smart Card Subscribers group the appropriate permissions to the Contoso Smart Card Profile Template

Step 8: Verify Centralized Smart Card Registration

Issue a smart card to Lola Jacobson

Test Lab Guide: Demonstrating Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration

Forefront Identity Manager 2010 Certificate Management smart card centralized registration demonstrates how to set up FIM CM so that smart cards are issued only by a select group of issuers. In this model, a smart card is issued only after the user has physically presented themselves to the smart card issuer and provided two forms of identification.

In this model, the following process is implemented:

1.A user arrives at the smart card issuance office.

2.The user provides two forms of identification, which are verified by the smart card issuer.

3.The smart card issuer executes the request. The user enters a PIN when asked.

4.The user is handed their new smart card and may begin using it.

This document will demonstrate how to enable this functionality in a test lab.

In This Guide

This guide contains instructions for setting up a test lab that demonstrates Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration. This is achieved by configuring Forefront Identity Manager 2010 Certificate Management using the environment that was built out in the preceding test lab guides. This lab also requires a client computer, CLIENT2, with a smart card reader. For the purposes of this guide, a stand-alone physical computer was used, because Hyper-V does not allow the use of USB devices and the smart card reader used here is a USB device. The smart card reader used in this lab is a Gemalto GemPC Twin, but any smart card reader should work as long as it is installed, has the correct drivers, and is working properly.

Important

This lab also requires a physical smart card. The smart cards used in this lab were Gemalto .NET v2+. However, any smart card that is supported by FIM CM should work, provided the appropriate minidriver or middleware is installed.

The following is a brief explanation of why the x86 FIM CM client is installed on an x64 OS when a 64-bit FIM CM client is available. The x86 version is installed because the default version of Internet Explorer on Windows 7 is the 32-bit version, and there is currently no way to designate the 64-bit version as the default browser on Windows 7. A later guide will demonstrate manager-initiated workflow, which fails if the 64-bit client is installed: the link sent by e-mail launches the 32-bit version of IE, which does not have the FIM CM ActiveX control when only the 64-bit client was installed.

Attempting to adapt the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration test lab configuration to a pilot or production deployment can result in configuration or functionality issues. To ensure proper configuration and operation for your pilot or production Forefront Identity Manager 2010 Certificate Management deployment, use the information in Deployment (

Test Lab Overview

In this test lab, Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration is deployed with:

One new client running Windows® 7 Professional Edition x64 named CLIENT2.

One preexisting server running the FIM CM Portal named FIMCM1.

One preexisting server running SQL Server® 2008 Enterprise with Service Pack 2, named APP1.

One preexisting server running Windows Server® 2008 R2 Enterprise Edition, named DC1.

Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration uses the following subnet:

The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).

Computers on each subnet connect using a hub or switch. See the following figure.

This test lab will guide you through the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration configuration process. The purpose of this test lab is to allow for the creation of a basic test lab environment that consists of Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration.

Hardware and Software Requirements

The following table provides a list of the software used in this guide.

Software / Additional information
Forefront Identity Manager 2010 Certificate Management Client / Forefront Identity Manager 2010 (
Forefront Identity Manager 2010 Certificate Management Client Update (KB978864) / This is a recommended update for the RTM of Forefront Identity Manager 2010 Certificate Management. This release provides additional product fixes since the last update release. (
Gemalto GemPC Twin Smart Card Reader Software / Gemalto GemPC Twin Smart Card Reader (
Gemalto .NET v2+ Smart Card Minidriver / Gemalto .NET v2+ Smart Card Minidriver ( minidriver net)

The following table provides a list of the hardware used in this guide.

Hardware / Additional information
Gemalto GemPC Twin Smart Card Reader / Gemalto GemPC Twin Smart Card Reader (
Gemalto .NET v2+ Smart Card / Gemalto .NET v2+ Smart Card (
Physical computer for CLIENT2 / This is to allow for the use of the USB smart card reader. Hyper-V does not support the use of USB devices.

Steps for Configuring the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration Test Lab

There are eight steps to follow when setting up the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration test lab.

Step 1: Set up the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.

Step 2: Set up the Exchange Server 2010 with Service Pack 1 TLG—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for FIM CM.

Step 3: Set up the SQL Server 2008 Enterprise with Service Pack 2 TLG—The third step is to complete the SQL Server 2008 Enterprise with Service Pack 2 test lab guide. This provides the database server for your FIM CM installation.

Step 4: Set up the Forefront Identity Manager 2010 TLG—The fourth step is to complete the Forefront Identity Manager 2010 test lab guide. This provides FIM to the test lab environment.

Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM TLG—The fifth step is to complete the FIM CM with Constrained Delegation, Update 1, and FIM test lab guide. This provides FIM CM to the test lab environment.

Step 6: Configure CLIENT2—The sixth step walks you through configuring CLIENT2, joining the domain and installing the FIM CM client.

Step 7: Configure FIM CM for Centralized Smart Card Registration—The seventh step walks you through configuring FIM CM to enable centralized smart card registration.

Step 8: Verify Centralized Smart Card Registration—The eighth step includes verifying that centralized smart card registration is working successfully.

This guide provides steps for configuring the computers for Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration. The following sections provide details about how to perform these tasks.

Step 1: Set Up the Base Configuration Test Lab

Set up the Base Configuration test lab for both the Corpnet and Internet subnets using the procedures in the “Steps for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the Test Lab Guide: Base Configuration (

Step 2: Set Up the Exchange Server 2010 with Service Pack 1 Test Lab

Set up the Exchange Server 2010 with Service Pack 1 test lab using the procedures outlined in Test Lab Guide: Exchange Server 2010 with Service Pack 1 (

Step 3: Set Up the SQL Server 2008 Enterprise with Service Pack 2 Test Lab

Set up the SQL Server 2008 Enterprise with Service Pack 2 test lab using the procedures outlined in Test Lab Guide: SQL Server 2008 Enterprise with Service Pack 2 (

Step 4: Set up the Forefront Identity Manager 2010 Test Lab

Set up Forefront Identity Manager 2010 test lab using the procedures outlined in Test Lab Guide: Forefront Identity Manager 2010 (

Step 5: Set up the FIM CM with Constrained Delegation, Update 1, and FIM Test Lab

Set up the Forefront Identity Manager 2010 Certificate Management with Constrained Delegation, Update 1, and FIM test lab using the procedures outlined in Test Lab Guide: Installing Forefront Identity Manager Certificate Management with Constrained Delegation, Update 1, and FIM 2010 (

Step 6: Configure CLIENT2

CLIENT2 configuration for the Forefront Identity Manager 2010 Certificate Management Centralized Smart Card Registration test lab consists of the following:

Install Windows 7 Professional x64 on CLIENT2

Join CLIENT2 to the CORP domain

Install the USB Smart Card Reader

Install the Gemalto Minidriver for Windows 7 Professional

Install the x86 FIM CM Client on CLIENT2

Install the x86 FIM CM Client Update 1

Install Windows 7 Professional x64 on CLIENT2

Install the Windows 7 Professional operating system on CLIENT2.

To install Windows 7 Professional x64 on CLIENT2

1.Start the installation of Windows 7 Professional x64.
2.Follow the instructions to complete the installation, specifying CLIENT2 as the PC name and a strong password for the local Administrator account.
3.Once the installation completes, log on using the local Administrator account.
4.Connect CLIENT2 to a network that has Internet access and run Windows Update to install the latest updates for Windows 7 Professional.
5.Once the updates are complete, restart CLIENT2 and log on as the local Administrator.

Join CLIENT2 to the CORP domain

Now join CLIENT2 to the corp.contoso.com domain.

To join CLIENT2 to the CORP domain

1.Click Start, right-click Computer, and then click Properties.
2.On the System page, under Computer name, domain, and workgroup settings click Change Settings.
View basic information about your computer

3.In the System Properties dialog box, on the Computer name tab, click Change.
4.Under Member of, select Domain, and enter corp.contoso.com in the box. Click OK.
5.When you are prompted for a user name and password, type the user name and password for the User1 account, and then click OK.
Note
You can also use the CORP\Administrator account to join CLIENT2 to the domain.
6.When you see a dialog box welcoming you to the corp.contoso.com domain, click OK.
7.When you are prompted that you must restart the computer, click OK.
8.On the System Properties dialog box, click Close.
9.When you are prompted to restart the computer, click Restart Now.
10.After the computer restarts, click Switch User, and then click Other User and log on to the CORP domain with the Administrator account.
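As an added example that is not part of this Test Lab Guide, the same join can be performed from an elevated Windows PowerShell prompt on CLIENT2 (Windows PowerShell 2.0 ships with Windows 7), followed by a check that the machine account and its secure channel to a domain controller are in place. The domain name and the CORP\Administrator account are taken from the steps above; the function name and output layout are the example's own. A practitioner's caveat on the User1 option in the note above: it works only because, by default, any authenticated domain user may join up to ten computers to the domain (the ms-DS-MachineAccountQuota attribute). Production domains commonly restrict that right, in which case the join needs an account that has been delegated permission to create computer objects.

```powershell
# Added example (not from the Test Lab Guide): join CLIENT2 to corp.contoso.com
# from an elevated Windows PowerShell prompt, restart, and verify the join.
# Compatible with Windows PowerShell 2.0 as shipped with Windows 7.

function Test-Client2DomainJoin {
    # Verifies, after the restart, that CLIENT2 is a member of the expected
    # domain and that its machine account secure channel to a DC works.
    param([string]$ExpectedDomain = 'corp.contoso.com')

    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $joined = $cs.PartOfDomain -and ($cs.Domain -ieq $ExpectedDomain)

    # Test-ComputerSecureChannel confirms the machine account password is
    # accepted by a domain controller, i.e. the trust relationship is intact.
    $channelOk = Test-ComputerSecureChannel

    New-Object PSObject -Property @{
        ComputerName  = $cs.Name
        Domain        = $cs.Domain
        Joined        = $joined
        SecureChannel = $channelOk
        Ready         = ($joined -and $channelOk)
    }
}

# ---- Join the domain (run once, before the restart) ----
$domain = 'corp.contoso.com'

# Prompt for the account allowed to join computers to the domain.
# CORP\Administrator is used here; User1 also works in this lab (see the note above).
$cred = Get-Credential -Credential 'CORP\Administrator'

# -PassThru returns the join result so a failure is reported instead of being
# hidden behind the restart.
$join = Add-Computer -DomainName $domain -Credential $cred -PassThru
if (-not $join.HasSucceeded) {
    throw "Domain join of $($join.ComputerName) to $domain failed."
}
Restart-Computer -Force

# ---- After the restart, log on as CORP\Administrator and run: ----
#   Test-Client2DomainJoin | Format-List
```

If Joined is True but SecureChannel is False, the computer object exists but the machine account password does not match what the DC holds (typically a stale or duplicate CLIENT2 object); reset it with Test-ComputerSecureChannel -Repair -Credential before continuing with the FIM CM client installation.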

Install the USB Smart Card Reader

Install the USB Smart Card Reader on CLIENT2.

To Install the USB Smart Card Reader on CLIENT2

1.Navigate to the directory that contains the GemPcCCID_201_en-us_64.exe and begin the installation.
2.Follow the instructions to complete the installation.
3.Once the installation completes click Finish.
4.Now plug the USB smart card reader into CLIENT2.
5.Windows 7 will automatically detect the USB smart card reader and install the driver.

Install the Gemalto Minidriver for Windows 7 Professional

Now install the Gemalto Minidriver for Windows 7 Professional.

To Install the Gemalto Minidriver for Windows 7 Professional

1.Navigate to the directory that contains the AMD64_X86-ar_bg_zh-tw_cs_da_de_el_en_es_fi_fr_he_hu_it_ko_nl_n...br_ro_ru_hr_sk_sv_th_tr_sl_et_lv_lt_zh-cn_pt_ja-nec-20395701_92604914396b1e89d0c78b2fad2f05fe80754d66 .cab file and double-click it.
2.This will open the cab file and there will be four files present. Highlight all four files and at the top select Extract.
Gemalto Minidriver

3.In the Select a Destination dialog box, navigate to the C:\ drive and click Make new folder.
4.Rename the folder Gemalto Minidriver and click Extract.
5.Now insert a smart card into the smart card reader. Windows displays a window that says Installing device driver software, and then reports that Device driver software was not successfully installed, because the minidriver has not yet been associated with the card.
6.Click Start and select Devices and Printers. This will bring up Devices and Printers.
Devices and Printers

7.You will see Smart Card with a yellow triangle on it. Double-click on the smart card. This will bring up the Smart Card Properties. At the top, click the Hardware tab.
Smart Card Properties

8.On the Hardware tab, click the Properties button. This will bring up Smart Card Properties.
Smart Card Properties

9.On the General tab click Update Driver. This will bring up the Update Driver Software – Smart Card dialog box.
10.On the Update Driver Software – Smart Card dialog box, click on Browse my computer for driver software. This will bring up the Browse for driver software on your computer dialog box. Click Browse.
Update Driver Software – Smart Card

11.Navigate to the newly created folder C:\Gemalto Minidriver and click OK.
12.On the Browse for driver software on your computer click Next.
13.This will install the driver successfully. When it is finished click Close.
Update Driver Software – Gemalto Minidriver for .NET Smart Card

14.On the Gemalto Minidriver for .NET Smart Card Properties click Close.
15.On the Smart Card Properties click OK.
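As an added example that is not part of this Test Lab Guide, the following Windows PowerShell script checks on CLIENT2 that the pieces the two procedures above put in place are actually working before the FIM CM client is installed: the Smart Card service, the reader, the minidriver binding to the inserted card, and the state of the CNG Key Isolation service (KeyIso) that the guide later asks to be set to Automatic in Step 7. certutil -scinfo is the built-in Windows tool that opens each reader through the installed minidriver; the vendor name pattern ('Gemalto') and the output layout are the example's own assumptions.

```powershell
# Added example (not from the Test Lab Guide): verify the smart card stack on
# CLIENT2 after installing the GemPC Twin reader software and the Gemalto
# minidriver. Run from an elevated Windows PowerShell prompt with a card inserted.

function Test-SmartCardStack {
    param(
        # Substring expected in the reader or card name reported by certutil.
        # 'Gemalto' matches the lab hardware (assumption); change it for other vendors.
        [string]$VendorPattern = 'Gemalto'
    )

    # 1. The Smart Card service (SCardSvr) must be running for readers to be enumerated.
    $scardsvr = Get-Service -Name SCardSvr
    $serviceRunning = ($scardsvr.Status -eq 'Running')

    # 2. A smart card device still without a driver reports ConfigManagerErrorCode 28
    #    ("the drivers for this device are not installed"): the yellow triangle in
    #    Devices and Printers that the minidriver installation above is meant to clear.
    $brokenDevices = @(Get-WmiObject -Class Win32_PnPEntity |
        Where-Object { $_.ConfigManagerErrorCode -ne 0 -and $_.Name -like '*Smart Card*' })

    # 3. certutil -scinfo opens each reader through the minidriver and lists the
    #    reader name, card name and card status. -silent avoids a PIN prompt.
    $scinfo = (certutil -silent -scinfo 2>&1) | Out-String
    $readerSeen = ($scinfo -match [regex]::Escape($VendorPattern))

    # 4. CNG Key Isolation (KeyIso): report its start mode and state so the
    #    Step 7 requirement (Automatic and started) can be confirmed here as well.
    $keyiso = Get-WmiObject -Class Win32_Service -Filter "Name='KeyIso'"

    New-Object PSObject -Property @{
        SmartCardServiceRunning = $serviceRunning
        DevicesWithoutDriver    = $brokenDevices.Count
        ReaderOrCardDetected    = $readerSeen
        KeyIsoStartMode         = $keyiso.StartMode
        KeyIsoState             = $keyiso.State
        Ready                   = ($serviceRunning -and ($brokenDevices.Count -eq 0) -and $readerSeen)
    }
}

Test-SmartCardStack | Format-List
```

Ready should be True before the FIM CM client is installed. A DevicesWithoutDriver count above zero means the minidriver was not bound to the card in steps 7 through 13 above; ReaderOrCardDetected False with the service running usually means the reader software from the previous procedure is not installed or the reader is not plugged in.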

Install the x86 FIM CM Client on CLIENT2

Now install the x86 FIM CM Client on CLIENT2.